Validate the project name field in wheel filenames

Author: pfmoore

packaging/utils.py

@@ -96,7 +96,11 @@ def parse_wheel_filename(filename):
         )
 
     parts = filename.split("-", dashes - 2)
-    name = canonicalize_name(parts[0])
+    name_part = parts[0]
+    # See PEP 427 for the rules on escaping the project name
+    if "__" in name_part or re.match(r"^[\w\d._]*$", name_part, re.UNICODE) is None:
+        raise InvalidWheelFilename("Invalid project name: {0}".format(filename))
+    name = canonicalize_name(name_part)
     version = Version(parts[1])
     if dashes == 5:
         # Build number must start with a digit

tests/test_utils.py

@@ -74,6 +74,13 @@ def test_canonicalize_version(version, expected):
             "1000",
             {Tag("py3", "none", "any")},
         ),
+        (
+            "foo_bár-1.0-py3-none-any.whl",
+            "foo-bár",
+            Version("1.0"),
+            None,
+            {Tag("py3", "none", "any")},
+        ),
     ],
 )
 def test_parse_wheel_filename(filename, name, version, build, tags):
@@ -84,6 +91,8 @@ def test_parse_wheel_filename(filename, name, version, build, tags):
     ("filename"),
     [
         ("foo-1.0.wheel"),
+        ("foo__bar-1.0-py3-none-any.whl"),
+        ("foo#bar-1.0-py3-none-any.whl"),
         ("foo-1.0-abc-py3-none-any.whl"),
         ("foo-1.0-200-py3-none-any-junk.whl"),
     ],